Horizon PowerCLI: Modify existing Pool Settings

Earlier this year, I inherited several Horizon View environments that were not built with manageability in mind. I am working on a larger project to conduct a proper plan and design and rebuild these environments, but until that is complete I need to continue to support the legacy installations.

In these environments (Horizon 7.5.1), each user has their own manual pool which contains a single Windows 10 VM. There are 9 separate Horizon environments across different security zones. This means each user has 9 manual pools and 9 desktops. We have approximately 75 users in each security zone, which gets us to just short of 700 manual pools across the 9 independent view blocks.

Ideally, we’d move all of the existing desktops into a new manual pool, and configure the pool settings one time in each zone, but for now I have chosen to change the settings on the existing pools with PowerCLI for Horizon.

There are a few configuration items we need to change:

  1. Do not allow user to select their Display Protocol
  2. Enable the “Allow user to reset their desktop” setting in all pools
  3. Change the maximum number of monitors from 1 to 2
  4. Disable Horizon HTML Access
  5. Set the View storage accelerator blackout time parameter

Working with Horizon PowerCLI and directly with the View API is not easy; it took me quite a bit of time to wrap my head around it.

Disclaimer: As always, be comfortable with the commands before running them in a production environment! I suggest thoroughly testing scripts that perform bulk actions like these in a lab environment.

The following steps assume that you already have the VMware PowerCLI modules installed from the PS Gallery.

First, you’ll need to obtain the “VMware.Hv.Helper” PowerShell module:

https://github.com/vmware/PowerCLI-Example-Scripts/tree/master/Modules/VMware.Hv.Helper

Next, import the module by running “import-module VMware.HV.Helper.psm1” from the directory you downloaded it to, or by copying the 3 files to “C:\users\%username%\Documents\WindowsPowerShell\Modules\VMware.Hv.Helper” for a more permanent solution.

Now we’ll make the connection to your Horizon View Connection Server by running

$hvServer = Connect-HVServer -server <connection server IP/FQDN>

When prompted for username/password, be sure to use “domain_name\username” or “username@domainname”.

We can now query the pools by running “$pools = get-hvpool”. This will return all pools. I would suggest filtering the data from this variable for later use. For example, type “$pools.Base.Name” to return the pool’s Identifiers; or type “$pools.Type” to filter between manual and automated.

In my instance, I needed to run these commands on all manual pools, so very little filtering was required, which I accomplished using an if statement.

Let’s get to the commands.

Do not allow user to choose display protocol

foreach ($pool in $pools){
    if ($pool.Type -eq "MANUAL"){
        set-hvpool -pool $pool -key 'desktopSettings.displayProtocolSettings.allowUsersToChooseProtocol' -value $false
    }
}

Set maximum number of monitors to 2

foreach ($pool in $pools){
    if ($pool.Type -eq "MANUAL"){
        set-hvpool -pool $pool -key 'desktopSettings.displayProtocolSettings.pcoipDisplaySettings.maxNumberOfMonitors' -value 2
    }
}

Allow users to reset their desktop

foreach ($pool in $pools){
    if ($pool.Type -eq "MANUAL"){
        set-hvpool -pool $pool -key 'desktopSettings.logoffSettings.allowUsersToResetMachines' -value $true
    }
}

Disable HTML Access

foreach ($pool in $pools){
    if ($pool.Type -eq "MANUAL"){
        set-hvpool -pool $pool -key 'desktopSettings.displayProtocolSettings.enableHTMLAccess' -value $false
    }
}

And the trickiest one for last: View Storage Accelerator blackout times. All of the pools in my environment have View Storage Accelerator enabled, but with no blackout times defined. This is not ideal. For example, if a user happens to shut down their VM in the middle of the day, View sometimes sees that as an opportunity to recalculate the disk digest, which means the user is unable to get back into their VM for several minutes. For some reason, I have been unable to get a custom “VMware.hv.desktopblackouttime” array to be accepted by the set-hvpool command. What I’ve had to do is manually configure a sample pool with the correct blackout times in the Horizon Admin console, and then export those to a variable from PowerCLI. I am then able to use the set-hvpool command successfully.

Set Blackout Times

$referencepool = get-hvpool -poolname 'ReferencePool'
$blktimes = $referencepool.ManualDesktopData.ViewStorageAcceleratorSettings.BlackoutTimes

foreach ($pool in $pools){
    if ($pool.Type -eq "MANUAL"){
        set-hvpool -pool $pool -key 'manualDesktopData.viewStorageAcceleratorSettings.blackoutTimes' -value $blktimes
    }
}

You’ll notice the “keys” are typed in camelCase. I had a lot of trouble figuring this out at first – it is case sensitive, but I couldn’t find them typed like this anywhere in the API reference guide. It doesn’t seem to be a perfect rule; for example, HTML is all caps in the desktopSettings.displayProtocolSettings.enableHTMLAccess key. I’d appreciate any feedback if you know a place where these are listed, or how to find them without guessing.
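A pre-change check for the four scalar settings above, added here as an example and not part of the original post: it walks each dotted key over the pool object and returns only the manual pools whose current value differs from the desired one. Get-HVPoolSettingDrift and the sample pool are constructed for illustration, and the property names are assumed to mirror the keys the way ManualDesktopData.ViewStorageAcceleratorSettings.BlackoutTimes does in the blackout-time snippet.

```powershell
# Hypothetical helper: list manual pools whose current value differs from
# the desired one, before any set-hvpool call is made.
function Get-HVPoolSettingDrift {
    param(
        [Parameter(Mandatory)] [object[]]  $Pools,
        [Parameter(Mandatory)] [hashtable] $Desired
    )
    foreach ($pool in $Pools) {
        if ($pool.Type -ne 'MANUAL') { continue }
        foreach ($key in $Desired.Keys) {
            # Walk the dotted key over the pool object. Property lookup is
            # case-insensitive, so the camelCase key resolves as written.
            $node = $pool
            foreach ($segment in $key.Split('.')) {
                if ($null -eq $node) { break }
                $node = $node.$segment
            }
            if ($node -ne $Desired[$key]) {
                [pscustomobject]@{ Pool = $pool.Base.Name; Key = $key
                                   Current = $node; Desired = $Desired[$key] }
            }
        }
    }
}

$desired = @{
    'desktopSettings.displayProtocolSettings.allowUsersToChooseProtocol' = $false
    'desktopSettings.displayProtocolSettings.pcoipDisplaySettings.maxNumberOfMonitors' = 2
    'desktopSettings.logoffSettings.allowUsersToResetMachines' = $true
    'desktopSettings.displayProtocolSettings.enableHTMLAccess' = $false
}

# Constructed stand-in for one object returned by get-hvpool (runs offline).
$samplePool = [pscustomobject]@{
    Type = 'MANUAL'
    Base = [pscustomobject]@{ Name = 'User01-Pool' }
    DesktopSettings = [pscustomobject]@{
        LogoffSettings = [pscustomobject]@{ AllowUsersToResetMachines = $false }
        DisplayProtocolSettings = [pscustomobject]@{
            AllowUsersToChooseProtocol = $true
            EnableHTMLAccess = $false
            PcoipDisplaySettings = [pscustomobject]@{ MaxNumberOfMonitors = 1 }
        }
    }
}
Get-HVPoolSettingDrift -Pools $samplePool -Desired $desired | Format-Table -AutoSize
# With a live connection, pass $pools from get-hvpool instead of $samplePool.
```

Piping the result to export-csv before running the set-hvpool loops leaves a record of each pool's previous values.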

That’s all for now! Let me know if you have any other requests and I’ll be happy to try and figure them out when I have time!

PowerCLI: Check NTP status on numerous ESXi hosts

I was recently tasked with configuring and checking the NTP status on a large number of ESXi hosts over a dozen different networks/vCenters. I used Host Profiles to configure NTP but wanted a way to check the time on the hosts after the profile was pushed out due to complicated network firewall rules in place.

Use connect-viserver to connect to a vCenter server before running the script. This script will prompt you to enter a filename for the CSV output. The CSV contains hostname, status of the NTP service, the startup policy for the service, a list of the NTP servers configured, and the current time of the host.

cls
# $input is a PowerShell automatic variable, so the path gets its own name
$csvPath = Read-Host "Path for CSV Output"
$allMembers = @()

foreach ($myHost in (Get-VMHost)) {
    # State and startup policy of the ntpd service on this host
    $serviceStatus = Get-VMHostService -VMHost $myHost | Where-Object {$_.Key -eq "ntpd"} | Select-Object Policy, Running

    # DateTimeSystem view, used to ask the host for its current time
    $myView = Get-View $myHost.ExtensionData.ConfigManager.DateTimeSystem

    $ntpServers = Get-VMHostNtpServer -VMHost $myHost

    $allMembers += New-Object psobject -Property @{
        Host = $myHost.Name
        StartupPolicy = $serviceStatus.Policy
        Status = $serviceStatus.Running
        ReportedTime = $myView.QueryDateTime()
        # Join so that several NTP servers land in one CSV cell
        NTPServers = $ntpServers -join ", "
    }
}
$allMembers | Select-Object "Host", "Status", "StartupPolicy", "NTPServers", "ReportedTime" | Export-Csv -NoTypeInformation -Path $csvPath

Windows 10 Calculator and VMware’s article on an optimized Windows 10 image.

Several months ago, VMware released a great article (here) on creating an optimized Windows 10 image for VDI environments. One issue with the article is that they have a ‘scorched earth’ policy in regards to Windows 10 UWP apps – that is – they all get removed if you follow the guide. This is not acceptable to most customers, as the majority still want the Calculator app on their VDI image.

I spent many hours researching methods to add the calculator back in, and found many blog articles with commands that simply didn’t work.

I came across a blog article on how to add apps back after they were removed using the method VMware details, but it required downloading a 4GB file from the Microsoft VLSC.

This method worked, but it wasn’t ideal for the situation.

I’m a PowerShell novice, but I figured there had to be an easier way. There is.

VMware’s guide has you run the following commands:

Get-AppxPackage -AllUsers | Remove-AppxPackage

Get-AppxProvisionedPackage -online | Remove-AppxProvisionedPackage -online

We’ll add some qualifiers to exclude the Windows Calculator… the new commands are:

Get-AppxPackage -AllUsers | where {$_.Name -notlike "Microsoft.WindowsCalculator"} | Remove-AppxPackage

Get-AppxProvisionedPackage -online | where {$_.DisplayName -notlike "Microsoft.WindowsCalculator"} | Remove-AppxProvisionedPackage -online

If you need to exclude multiple apps, it would look like this:

Get-AppxPackage -AllUsers | where {$_.Name -notlike "Microsoft.WindowsCalculator"} | where {$_.Name -notlike "Microsoft.WindowsStore"} | Remove-AppxPackage

Get-AppxProvisionedPackage -online | where {$_.DisplayName -notlike "Microsoft.WindowsCalculator"} | where {$_.DisplayName -notlike "Microsoft.WindowsStore"} | Remove-AppxProvisionedPackage -online

There may be a more elegant way to do this, but it’s simple and works. I hope this saves you some time.

How to clear the VMware Verify configuration from your on-premise VIDM

VMware Verify uses a cloud service (Authy) to provide its functionality.  If you have a cloud hosted VIDM, your VMware Verify authentication adapter (MFAAdapter) comes pre-configured.    On the other hand, with on-premise VIDM, you are required to obtain a token from VMware support to enable the feature.

I found myself in a situation where the incorrect token was provided, and it needed to be replaced with a different one.  Unfortunately, once you enter the token in the UI and hit save, there is no easy way to clear it out and enter a different one.

The solution is to make an API call and delete the configuration for the MFAAdapter.

In this walkthrough I’ll be using the Postman app to make the API calls.  The VIDM version used in this example is 3.3.

The first step will be to validate that we can authenticate and retrieve the current configuration using the GET command.  You’ll need to log in to the VIDM web admin console (https://fqdn-of-vidm/SAAS/login/0) so we can obtain the value of the HZN cookie.

We’ll use Chrome as the example, but you can likely obtain the value in other browsers following a similar process.

Launch Postman and create a basic request.

Change the request type to GET
Enter the URL as https://fqdn_of_vidm/SAAS/jersey/manager/api/mfa/
Click “Headers”

Open Google Chrome, and log in to the VIDM admin interface using the credentials for the built-in “admin” account.
Open the “Developer Tools” menu (F12 on a Windows PC)

Select “Application” and then expand the “Cookies” section.
Click on the URL that corresponds to the VIDM you logged into.
On the right side, copy the value of the HZN cookie to the clipboard.

Back to Postman.  You should still be on the headers page.  In the first row, type in “Authorization” as the key.  For the value, enter HZN and paste the value that you copied to your clipboard (note the space in-between).

Click Send

You should receive a reply that contains the VMware Verify key that you previously entered in the admin interface.  If you receive an error, you may need to disable SSL certificate validation within the Postman app as I did in the lab environment.

Important: Before issuing any delete commands, make sure you have a backup of the VIDM appliances and database!

When you are ready, change the GET to DELETE and click send.

You’ll notice that the output looks the same as before.  Don’t worry, that’s expected.

Go back to the VIDM admin console and pull up the settings for the VMware Verify authentication adapter.  The field for the Security token is back and ready for proper configuration!
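The same GET and DELETE sequence as a PowerShell function, added here as an example and not part of the original walkthrough: it saves the GET response before deleting and asks for confirmation before the DELETE. Clear-VidmVerifyConfig, its parameters and the backup file name are hypothetical; it assumes the appliance certificate is trusted by the machine running it and sends only the Authorization header described above.

```powershell
# Hypothetical helper wrapping the two API calls from the walkthrough.
function Clear-VidmVerifyConfig {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string]       $VidmFqdn,
        [Parameter(Mandatory)] [securestring] $HznCookie,
        [string] $BackupPath = '.\mfa-config-backup.json'
    )
    $uri = "https://$VidmFqdn/SAAS/jersey/manager/api/mfa/"

    # Same header value as in Postman: "HZN", a space, then the cookie value.
    $token   = [System.Net.NetworkCredential]::new('', $HznCookie).Password
    $headers = @{ Authorization = "HZN $token" }

    # Step 1: GET proves the cookie is accepted and returns the current config.
    $current = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

    # Keep a copy of what is about to be removed. The file holds the
    # VMware Verify token, so write it to an access-controlled location.
    $current | ConvertTo-Json -Depth 10 |
        Set-Content -Path $BackupPath -WhatIf:$false

    # Step 2: DELETE only after confirmation; -WhatIf stops here.
    if ($PSCmdlet.ShouldProcess($uri, 'DELETE MFAAdapter configuration')) {
        Invoke-RestMethod -Method Delete -Uri $uri -Headers $headers
    }
}

# Read the cookie without echoing it or leaving it in command history:
#   $cookie = Read-Host 'HZN cookie value' -AsSecureString
#   Clear-VidmVerifyConfig -VidmFqdn 'fqdn_of_vidm' -HznCookie $cookie -WhatIf
```

The HZN cookie is a live admin session token, so log out of the admin console afterwards to invalidate it.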